The CISO as the Man-in-the-Middle

If you’ve been working in or around the IT security field for any amount of time, you are probably quite familiar with the term “Man-in-the-Middle” (MitM) as it relates to a method of attack.

What I’m even more interested in these days is an emerging typology, the new Man-in-the-Middle – or what I like to describe as being the “MitM Redux” – and in this context we are not referring to an attack method, but instead applying the term to describe a role that is becoming all the more common.

Security practitioners and infosec students who have crammed for the CISSP and GISP certification exams understand MitM to be a type of crypto attack that is usually explained by using the now ubiquitous characters Alice, Bob and Mallory.

In the parable, Alice thinks she’s communicating privately with her friend Bob, but in actuality the malicious Mallory has secretly inserted herself in the middle of the conversation and is effectively eavesdropping on them, and in some instances she is also able to modify some of the messages as she relays them between the two unwitting conversants.

The Man-in-the-Middle attack at one point in time was considered to be quite innovative, but not so much today. Would-be miscreants who want to utilize the technique can now simply buy the components “off the shelf” to carry out such an attack by employing ready-made toolkits like Ettercap, dsniff and Mallory (a creative use of the classic MitM character’s name).

As interesting as they are, the goal of this discussion is not to further examine Man-in-the-Middle as an attack, but instead I seek to expand the terminology to describe the new CISO, who has become the real Man-in-the-Middle, increasingly finding him or herself caught between two very different worlds.

The first of these is the executive world, where they need to be able to connect security to the business by practicing the soft art of Influence Without Power when speaking to a new audience in terms of critical business functions, of how security risks translate into business risks, of profit/loss considerations and EBITDA – and if you know what the abbreviation means, then you may well be a MitM CISO.

The second and more familiar world is the technical one, where the CISO must continue to communicate effectively in terms of the attack surface, of incident management, of controls and control objectives, of CIS benchmarks and network defense testing.

Many security and business analysts have attempted to qualify the dynamics of this evolving role for the new CISO, but in my honest opinion none have done a better job at it than the authors of a study conducted by IBM’s Center for Applied Insights, aptly titled Finding a Strategic Voice: Insights from the 2012 IBM Chief Information Security Officer Assessment (the detailed results of which can be downloaded here at no cost).

The IBM report offers up some excellent data and provides some useful findings, some examples of which I found particularly interesting:

The Focus is Shifting Towards Risk Management: “In two years, security leaders expect to be spending more of their time on reduction of potential future risk, and less on mitigation of current threats and management of regulatory and compliance issues.”

The Archetypes are Real: CISOs and security leaders can be grouped into archetypes which include Responders, Protectors and Influencers, and each persona has a very distinct modus operandi in regards to working with and through their organizations. The report does a great job of not only fleshing out these different archetypes; it also provides keen insight into how one can morph from one archetype to the others.

A Shift in Focus from the Local to the Global: “In general, the role of information security will be moving away from specific risks to global risks. The role will be much larger than it used to be,” the authors noted.

Measures Really Matter: Think of this as gaining insight from the process of obtaining metrics, and not just from the numbers themselves. “Although metrics can be a challenge to define and capture, that should not deter organizations from implementing them. Measurement may be imprecise at first but will improve over time – and the process itself can drive valuable insight,” the report states.

I saw a lot of reports last year on the evolution that is defining the role of the new CISO, but this report is by far the best in show.

In the most general of terms, it illustrates the choice almost all CISOs will face: whether to continue being the “middleman” who translates up the chain and manages down through the organization while never really getting to land on one side or the other, or instead to be more like the innovative CIOs and CFOs before them, who struggled to assume their rightful place at the strategy table and got there only after mastering the soft skills required for executive leadership.

I think most CISOs will opt for the latter of the two choices, and it is up to those of us who call ourselves security vendors and professionals to help them make this important transition.